Method and system for ensuring connection of a module to an electronic apparatus

ABSTRACT

A method for ensuring that modules ( 3, 4 ) to be connected to an apparatus comprising a processor of a specific type, includes providing these modules ( 3, 4 ) with a code circuit ( 6, 7, 13, 21, 24 ) capable of outputting one or more code words on request. When a module has been connected to the system, the processor of the apparatus reads one or more of the code words from the code circuit ( 6, 7, 13, 21, 24 ) of the module, compares the read code word or words with reference code words stored in the apparatus ( 2 ), and rejects the module if the read code word or words do not correspond to the reference code words. A large number of different code words are stored in the code circuit ( 6, 7, 13, 21, 24 ) of the specific type, and the code circuit is moreover adapted such that a code word can be output correctly only after the lapse of a prefixed period of time, which is considerably longer than a normal output time determined by the implementation of the code circuit, after a previous output of a code word.

TECHNICAL FIELD OF THE INVENTION

The invention concerns a method and a system to ensure that modules tobe connected to an apparatus comprising a processor are of a specifictype, wherein modules of the specific type are provided with a codecircuit capable of outputting one or more code words on request, andwherein the processor of the apparatus, when a module has been connectedto the system, reads one or more of said code words from the codecircuit of the apparatus, compares the read code word or words withreference code words stored in the apparatus, and rejects the module ifthe read code word or words do not correspond to the reference codewords.

The invention also concerns a module capable of being connected to suchan apparatus, and a code circuit as well as a storage medium for storageof data and for use in such a system.

BACKGROUND OF THE INVENTION

Many technical systems comprise an apparatus to which a plurality ofmodules may be connected. Typically, it may e.g. be an electronic devicecomprising a central control unit to which a plurality of externalprinted circuit cards may be connected depending on the use. Theelectronic device may e.g. be a network element in a telecommunicationsnetwork or a control system for a manufacturing process.

Other examples of such modules may be battery packet for a mobiletelephone, a component or a spare part which may be connected to theelectrical system in a car or to the car in general, or a probe for ameasuring instrument.

Such systems have the advantage that the technical solution may becomposed of individually selected modules.

For several reasons, when a module is connected to the system, it may beexpedient to be able to detect whether the other module is of a specifictype. It may e.g. be a matter of checking that the connected module issupplied by the supplier who has also supplied the main system, sincethis is the only way to ensure that the system operates as specified bythe supplier. This may e.g. be the case where probes for measuringinstruments are calibrated for each individual measuring instrument, andwhere it may thus be essential to ensure that the correct probe isconnected.

In respect of high-technology products, extension modules and spareparts for the products are produced in large numbers. However, ithappens frequently that other suppliers make copies having the samefunction as the original products, but at a lower price. It may beexpedient for a manufacturer of the original products to protect himselfagainst copy products, partly because reliability and quality might beimpaired when the original modules are replaced by copy modules, andpartly because of the loss of earnings from the sale of the originalproducts.

It is known to prevent interconnection of such elements by variousphysical obstacles, which, however, are generally easy to imitate by acopy manufacturer.

Further, the art in the software field includes a large number ofmethods for access control and limitation of copying of e.g. discs orCD-ROM with programs such as e.g. games. These methods, however, are notsuitable for preventing connection of hardware modules to e.g. anelectronic apparatus.

Known are also electronic systems in which a code circuit on a modulemust apply a code word before the module will be accepted by the mainsystem, as is known also from e.g. payment cards in financial systems.

When mechanical and electronic systems can be physically accessed,however, it will frequently be possible to expose details of thestructure and thereby evade the methods which just permit combinationwith certain modules. In the case of the code word which has to beapplied by the module, it will e.g. be possible to find the code word byoutputting it in the same manner as is done in the original system.Thus, all that needs to be done is to obtain a sample of the originalmodule, and then the code word of this module may be read and copymodules may be manufactured with the same code word.

From U.S. Pat. No. 4,851,653 a system in which a confidential code isintroduced to a memory card to get access to the memory of the card isknown. On the card the introduced code is compared to a reference codeand only in case of a match between the introduced code and thereference code access is provided to the memory. A built-in time delayensures that a certain time must pass between each attempt atintroducing a code. In this manner it is ensured that an unauthorizeduser cannot just try with a high number of different codes in a shorttime. By systems of the above described type, in which modules areconnected to an apparatus, this system does not, however, provide anysecurity, because an unauthorized card can just read the code word usedby an authorized card and subsequently use the same code word, sinceonly one reference code is used. Therefore, the system can be cracked bya simple interception.

A similar system is used according to EP 379 333 in which a finger printof a person is compared with a reference finger print stored in digitalform on a credit card. Also here, a single reference code that can beuncovered by interception is used, and therefore also this system doesnot provide sufficient security in the systems mentioned above.

WO 86/03864 discloses a system for establishing connection between acomputer terminal and a main computer. In stead of a usual code word orpass word this system uses a new random code word each time a connectionbetween a given terminal and the main computer is to be established.Before termination of a connection the terminal generates a new codeword, which is sent to the main computer in which it is stored. It isalso stored in the terminal itself. Next time this terminal wishes aconnection to the main computer it must be able to provide exactly thiscode word to the main computer. In this way it is ensured that anunauthorized terminal cannot just intercept the code word from anauthorized terminal and subsequently use the same code word itself.However, this system only ensures that the main computer—when the systemhas been initialized and is in normal use—only accepts communicationwith a terminal to which it has communicated before. When a terminal isconnected to the computer for the the first time the security proceduremust be by-passed and, therefore, the security is totally dependent ofthe person taking care of the connection of new terminals to the system.Therefore, this principle cannot be used in the situations mentionedabove and with which the present invention is concerned.

Another principle that attempts to overcome the risk of interception ofa code word is known from DE 44 11 780. Here, the code word is changeddependent on the actual time. A user introduces on a terminal or amodule a primary code word which is then converted into a correspondingsecondary code word. This code word is combined with a time signalrepresenting the actual time, which is received from a radiotransmitter, and the result is used as address to a ROM device of e.g.32 kbytes. The content of the selected address is transmitted to thereceiver unit which has a similar ROM device and knows the correctsecondary code word. Also here the known secondary code word is combinedwith the actual time signal to form an address to the ROM device and theresulting content must correspond to that received from the terminal. Asthe actual time signal is changed all the time a code word that isintercepted can only be used for a very short time, i.e. until the timesignal is changed. This could e.g. happen every 6 minutes. However, thisprinciple has the drawback that if an unauthorized user once knows theprinciple he only has to get access to an authorized unit and then copythe ROM device, which can be done in a very short time. With a copy ofthe original ROM device the unauthorized module can without anydifficulty generate correct code words. It is also a drawback with thisprinciple that the central apparatus as well as each unit or module mustbe provided with a radio receiver for the time signals and also must beplaced in a location where these signals can be received.

SUMMARY OF THE INVENTION

Accordingly, the object of the invention is to provide a method and asystem which ensure that only modules of the specific type can beconnected to the system, and in which the incorporated code circuits areimpossible to copy with a reasonable period of time.

This is achieved according to the invention by a method wherein a largenumber of different code words is stored in the code circuit on modulesof the specific type, and wherein the code circuit is moreover soadapted that a code word can be output correctly only after the lapse ofa prefixed period of time, which is considerably longer than the normaloutput time determined by the implementation of the code circuit, aftera previous output of a code word.

When ensuring on one hand that a large number of code words is presentand on other hand that a considerable period of time has to elapsebetween each time a code word can be output, then it will take anextremely long time to output and thus copy the contents of the codecircuit. Thus copying of the code circuit has been made impossible inpractice.

In an expedient embodiment, the code circuit on each module comprises anaddressable storage in which one of said code words is stored on eachstorage address.

The code word of a given storage address in said storage is allowed tobe the same for all the modules, it is ensured that the same codecircuit may be used on all the modules, and that it therefore sufficesto store one set of reference code words in the apparatus. Aparticularly expedient embodiment is obtained when the reference codewords of the apparatus, are formed by a code circuit like the codecircuits arranged on the modules. It is hereby ensured in a simplemanner that it will be just as difficult to copy the code words from theapparatus as from the individual modules.

When moreover, the apparatus is adapted to read code words from the samestorage address or addresses on each module at start, it is ensured thatthe apparatus need only read code words from its own code circuit or itsown reference table once, since the same answer is to come from all themodules. This will save some time particularly in the situation wherethe apparatus contains a code circuit like that of the modules, since,otherwise, the apparatus would have to wait said period of time betweeneach output from its own code circuit.

As mentioned, the invention moreover concerns a module which may be usedin a system and a method as described above.

Either, the code circuit of the module may comprise means forcalculating code words from a bit pattern consisting of a plurality ofdigital input signals, or, as stated in claim 9, it may comprise anaddressable storage in which one of said code words is stored on eachstorage address. In the latter case, the addressable storage mayexpediently be of ROM type.

The code circuit is adapted to receive an address consisting of a largenumber of bits and to calculate, from this, a modified addressconsisting of a smaller number of bits, and the number of storageaddresses is adapted such that the smaller number of bits is justsufficient to address all the storage addresses, it is ensured that thecopying time will be extremely great even with a storage of a limitedsize, since, seen from the outside, the storage appears to have a numberof bit positions which corresponds to the large number of bits. Thus, ife.g. a 32-bit address is used, which is modified to a 16-bit address inthe code circuit, a storage circuit of 64 kbytes will look like astorage circuit of 2³² bytes, and, if the preselected period of time ise.g. one second, it will take 2³² seconds, which correspond to more than136 years, to output and thereby to copy the contents of the codecircuit.

In particular when the code circuit is adapted to receive an addressconsisting of a large number of bits, it may be advantageous, to adaptthe code circuit to receive said address in serial form.

The means necessary for determining the prefixed period of time may bepositioned internally in the code circuit. This ensures that there is nopossibility of affecting this period of time from the outside, nor is itthus possible to increase the output rate. On the other hand, thecomponents required for this will take up space on the code circuititself. Alternatively, the code circuit may comprise means fordetermining the prefixed period of time by counting a plurality of clockperiods for a clock signal which is supplied to the code circuit.Component space may hereby be saved in the code circuit; but it will bepossible to increase the output rate by increasing the frequency of theexternal clock signal. However, this may be counteracted in a simplemanner by selecting a clock frequency which is close to the maximumclock frequency at which the circuit can operate. If it is attempted tooutput the code words with an even higher frequency, the circuit willmerely stop operating. A lower frequency will correspondingly mean alower output rate.

In an expedient embodiment, the code circuit is implemented as acustomer-specified integrated circuit (ASIC), which comprises theaddressable storage as well as the means for determining the prefixedperiod of time. This improves the possibility of preventing others fromoutputting and thereby copying the contents of the code circuit within areasonable period of time.

Either, the means ensuring that a code word can be output correctly onlyif a prefixed period of time after a previous output has elapsed, may beadapted simply not to apply a code word if output is requested beforethe lapse of said period of time, or, where such output is requested,they may be adapted to output one or more wrong code words. The latterpossibility makes it even more difficult to perform unauthorized outputof the contents of the code circuit.

Further, the code circuit may be adapted such that a code word can beoutput correctly also only if said period of time has elapsed from thestart of the module concerned. This ensures that also the first outputcan only take place after said time delay.

Finally, as mentioned, the invention also concerns a code circuit forthe storage of a plurality of code words, and a storage medium for thestorage of data and for use in a system as well as a method as describedabove. Such a storage medium is adapted such that data can be outputcorrectly from the storage medium only after the lapse of a prefixedperiod of time, which is considerably longer than a normal output timedetermined by the implementation of the storage medium, after a previousoutput of data.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention will now be described more fully below with reference tothe drawing, in which

FIG. 1 shows a system in which the invention may be applied,

FIG. 2 shows a block diagram of a code circuit according to theinvention,

FIG. 3 shows an embodiment of the code circuit in which an externalclock signal is used,

FIG. 4 shows an embodiment of the code circuit in which an internalclock generator is used, and

FIG. 5 shows an embodiment of the code circuit in which a modifiedaddress is calculated.

DETAILED DESCRIPTION OF THE INVENTION

FIG. 1 shows an example of how the invention may be applied to ensurethat modules to be connected to an apparatus or a system are of aspecific type. The figure schematically shows a system 1 which consistsof an apparatus 2 and a plurality of modules, of which the modules 3 and4 are shown here. The system 1 may e.g. be an electronic control systemfor a manufacturing process or a network element in a telecommunicationssystem, and in that case the apparatus 2 may contain a central controlunit 5 and other common components for the system, while the modules 3and 4 may be printed circuit cards including the system input and outputcircuits, which may be provided in arbitrary numbers, and the system maytypically be extended later by the addition of further printed circuitcards. Since these printed circuit cards will frequently be added to thesystem after its initialization, it may be of great importance to beable to ensure that only printed circuit cards of a specific andapproved type can be connected. This is done partly to be certain thatthe system, also after the addition, will be able to comply with thespecifications originally given, and partly to ensure for commercialreasons that no so-called pirate copies of the printed circuit cards areused.

Such a security may be established e.g. by providing each of the printedcircuit cards 3, 4 with a code circuit 6, 7, which is capable, onrequest, of giving a predetermined code word. When e.g. the printedcircuit card 3 has been connected to the system, the central controlunit 5 may request the printed circuit card 3 via the connection 8 toidentify itself by means of the code circuit 6 by giving the correctcode word via the connection 9. As mentioned before, this system,however, has the drawback that it will be relatively simple for a copysupplier to copy the code circuit 6 so that also the copy printedcircuit cards will be capable of giving the correct code word.

This is remedied by the invention in that, for one thing, the codecircuit 6 contains a large number of code words, and the control unit 5can then request the code circuit to give an arbitrary one of the manycode words via the connection 9. This may be done e.g. in that the codecircuit 6, as shown in FIG. 2, contains a ROM 10 having a plurality ofaddresses, which each contain a code word. The control unit 5 thentransmits a request for a code word and the address of the desired codeword on the connection 8. The addresses and the code words may betransmitted via the connections 8, 9 as serial or parallel datadepending on the structure of the system in general. In addition to theconnections 8, 9, a plurality of connections will usually be providedbetween the apparatus 2 and the printed circuit cards 3, 4 owing to theproper function of the system. These connections do not concern theinvention and are therefore not shown in the figure.

Although the many code words per se make it more difficult to copy thecode circuit 6 or its ROM 10, it is however, still not impossible to doso, as it usually just takes a little longer to read one storage addressat a time and then to copy it. Therefore, the circuit is designed suchthat it is not possible to read the contents of the individual storagecells quickly in succession, since, as shown in FIG. 2, it moreovercontains a time delay circuit 11, which ensures that a certain time hasto elapse between each output of the contents of a storage cell. Thisperiod of time may e.g. be of the order of one second. If e.g. a ROM of64 kbytes is used, it will thus take 65 536 seconds, corresponding to alittle more than 18 hours, to output all the code words. As will appearin more detail from the following, this time may be increasedconsiderably by simple means. The circuit 11 may either just delay eachoutput by said time, or it may release the contents of the storage cellright away and then prevent new output requests until said period oftime has elapsed. In the former case, this means that there will also bea delay at the first output after the start of the system or theconnection of the printed circuit card. This means in both cases thatcorrect code words can be output only when the individual storage cellsare output at a suitably low rate such that it will be an impossibletask to read the contents of the entire storage medium, thereby makingit an impossible task to copy the code circuit 6. In the periods where acorrect code word cannot be given owing to the time delay, the codecircuit may be designed not to give a code word at all. This may e.g. bedone in that the code word output or outputs are in a tristate mode orsimply emit a byte exclusively containing 1 s or 0 s. Alternatively, thecircuit may be designed to give an arbitrary, but wrong code word duringthis period, thereby making it even more difficult to copy the contents,as it will not be known whether the code words output are actuallycorrect. Examples of embodiments of the time delay circuit 11 will bedescribed more fully below.

When a new module or printed circuit card, e.g. the printed circuit card3, is to be connected to the system, the first step is to place theprinted circuit card in e.g. a connector, thereby connecting it to thepower supply of the system, and the control unit 5 will detect that anew printed circuit card has been connected to the system. The timedelay circuit 11 on the printed circuit card 3 ensures that no correctcode words can be output the first second after the connection of theprinted circuit card. The control unit 5 will therefore wait one secondand then generate a random address and request, via the connection 8,the code circuit 6 to give the associated code word. The circuit 6 findsthe correct code word and returns it via the connection 9 to the controlunit 5. The control unit 5 compares the received code word with a listof reference code words, and if the code word received is correct, theprinted circuit card 3 will be accepted and added to the system. If, onthe other hand, the code word received is wrong, the printed circuitcard will be rejected.

It is important of course that the list of reference codes words isconcealed well, since, otherwise, it will be possible to copy thecorrect code words from it. Optionally, the list may be encrypted. Ifidentical code circuits are used on all the modules, i.e. all of themcontain the same code words on the same addresses, it will be anexpedient solution simply to provide the control unit 5 with a codecircuit 12 like the one used on the modules, since, then, the controlunit is merely to address the same (random) address in its own codecircuit 12 and in the code circuit 6 on the module just connected andthen compare the two code words. This also means that, at the start ofthe entire system, the control unit 5 is just to address the same(random) address in its own code circuit and in the code circuits oneach of the connected modules, since the control unit is to expect thesame answer from each module. As a result, the control unit does nothave wait one second between each inquiry to a module, which would delaythe start of the system by a second per module. This would have beennecessary if different code words were requested from each module,since, then, the control unit would have to address a new address in itsown code circuit each time. To make it impossible that a copy module inthis situation just reads on the data bus which code word is given fromanother module and then merely gives the same word itself, the controlunit may be caused to inquire for a new and random code word from allthe modules at regular intervals in operation. A copy module, which hasmanaged to get through the start phase merely by giving the same answeras the other modules, will then be revealed by the next random inquiry.

It is important that the storage 10 of the code circuit and the timedelay circuit 11 are so arranged with respect to each other as to makeit impossible to get access to the connections between the two circuits,since, otherwise, it would be possible to evade the time delay merely bybypassing the time delay circuit 11 when outputting and copying thecontents of the storage 10. Therefore, the code circuit 6 mayadvantageously be designed as a user-specified integrated circuit, alsocalled ASIC. An example of an ASIC circuit 13 is shown in FIG. 3.

The circuit is composed of the two previously mentioned elements, theROM 10 and the time delay circuit 11. The ROM 10 is implemented suchthat the connections related to control reading from the ROM are presentonly internally in the ASIC. This prevents unauthorized reading of thestorage contents. The read input 16 of the ROM is connected directly tothe timer circuit 11. The address bus 14 and the code word bus 15 areexternal connections. The connections 14 and 15 may be parallel as wellas serial, the serial embodiment being most frequently used in apractical design to occupy the fewest possible branch connections on theASIC. The address 14 is used for addressing the ROM 10, in which thepreviously mentioned code words are already stored. When a code delaytime determined by the timer has elapsed, the addressed code word isoutput on the code word bus 14 by activating the read input of the ROM.

The time delay circuit 11 is here shown implemented by means of acounter circuit 17, which divides a clock signal on the line 18. If aclock signal of e.g. 8 MHz is used, a count pulse per second may beobtained by dividing by 8*10⁵. The signal of 8 MHz may be a signal whichis already used in the system and is therefore available on the printedcircuit card concerned. The frequency may advantageously be selectedclose to the maximum operating frequency of ASIC, since it will then beimpossible to reduce the output time considerably merely by increasingthe frequency of the clock signal 18.

The delay time begins to elapse when an address is applied to theaddress bus 14, or when the time delay circuit 11 is activated by aseparate control signal 19. When the code delay time has elapsed, theread signal 16 of the ROM is activated, and the desired code word may beoutput on the code word bus 15. The ROM on the integrated ASIC can thusjust be read at the intervals predetermined by the time delay circuit,which, as mentioned, are selected to have a duration of one second inthe present example.

The field 20 on the ASIC just indicates that space for other componentsmay be provided on the circuit.

FIG. 4 shows an ASIC circuit 21 having a somewhat differently designedtime delay circuit 22. Instead of dividing an external clock signal 18,the circuit 22 here incorporates an internal clock generator 23 whichcan generate a corresponding clock signal itself, so that the time delayis completely independent of external signals. Such an internal clockgenerator may be implemented in a known manner e.g. by interconnectingtwo gates in a feedback loop. The rest of the circuit is unchanged withrespect to FIG. 3.

It should be noted that, instead of the ROM 10, it is possible to useother corresponding types of circuits, such as e.g. a storage of EEPROMtype or a RAM. In the latter case, measures must be taken to avoidunintentional erasure of the stored code words. The use of these storagetypes ensures that the code words need not be determined when the ASICis designed, but may be input at a later time, e.g. in the manufactureof the module or printed circuit card concerned. Alternatively, insteadof a storage, it is possible to use a combinatorial circuit which iscapable of calculating an associated code word on the basis of a bitpattern (i.e. the address) on the input. Such a circuit may beimplemented in a known manner, provided that an algorithm to calculatethe code words has been determined beforehand.

No matter whether a storage or a combinatorial circuit is used, the timeit takes to output and copy the code circuit contents may be increasedconsiderably by using an address having a larger number of bits than theone corresponding to the number of code words, and then modifying thisaddress. This may be done e.g. as shown on the ASIC in FIG. 5, in whichthe ROM 10 may be of 64 kbytes here too, which means that it may beaddressed by an address of 16 bits. An address modification circuit 25receives an address of 32 bits via the address bus 23 and converts itinto two addresses of 16 bits each. Each of these two addresses is usedfor addressing the associated code words in the storage 10 via the bus24, and these are output via the bus 26 to a calculation circuit 28calculating, from the two code words, a new code word which is returnedto the control unit via the code word bus 27.

Alternatively, the address modification circuit 25 may be adapted toconvert the address of 32 bits into a single new address of 16 bits,which then designates a code word in the ROM 10, as described earlier.In that case, the calculation circuit 28 may be omitted, since just asingle code word is given from the ROM.

When an address of 32 bits is modified in this manner to one or moreaddresses of 16 bits, the time it takes to output the entire storagecontents may be increased very considerably. Still assuming a time delayof 1 second between each output, it will take 2³² seconds to output allcombinations, even though the storage is just 64 kbytes in reality. The2³² seconds correspond to more than 136 years, which is more thansufficient in practice to present copying of the code circuit.

Finally, it should be mentioned that the connections 8, 9 between theapparatus 2 and the individual modules 3, 4 may be replaced by awireless connection, as the apparatus and the modules may e.g. beprovided with radio transmitters/receivers or infraredtransmitters/receivers. This ensures that the principle may also beapplied in systems in which the individual subcomponents are not alreadyelectrically interconnected. This may be the case e.g. with spare partsfor cars or access cards to access control systems.

Although a preferred embodiment of the present invention has beendescribed and illustrated, the invention is not restricted to it,. butmay also be embodied in many other ways within the scope of thesubject-matter defined in the following claims.

What is claimed is:
 1. A method of ensuring that modules to be connectedto an apparatus comprising a processor are compatible with theapparatus, wherein the modules are provided with a code circuit whichoutputs one or more code words on request, and wherein the processor ofthe apparatus, when a module has been connected to the system, reads oneor more of said code words from the code circuit of the module, comparesthe read code word or words with reference code words stored in theapparatus, and rejects the module if the read code word or words do notcorrespond to the reference code words, characterized by adapting thecode circuit on the modules to output a large number of different codewords, and by moreover adapting the code circuit such that a code wordcan be output correctly only after the lapse of a prefixed period oftime, which is considerable longer than a normal output time determinedby the implementation of the code circuit, after a previous output of acode word.
 2. A system comprising an apparatus and a plurality ofexternal modules being connected to the apparatus, wherein the modulesare provided with a code circuit which outputs one or more code words onrequest, and wherein the apparatus has a processor which, when a modulehas been connected to the system, is adapted to read one or more codewords from the code circuit of the module, to compare the read code wordor words with reference code words stored in the apparatus, and toreject the module if the read code word or words do not correspond tothe reference code words, characterized in that the code circuit on themodules is adapted to output a large number different code words, andthat it moreover comprises means ensuring that a code word can be outputcorrectly only after the lapse of a prefixed period of time, which isconsiderably longer than a normal output time determined by theimplementation of the code circuit, after a previous output of a codeword.
 3. A system according to claim 2, characterized in that the codecircuit on each module comprises an addressable storage in which one ofsaid code words is stored on each storage address.
 4. A system accordingto claim 3, characterized in that the code word of a given storageaddress in said storage is the same for all modules.
 5. A systemaccording to claim 3, characterized in that the apparatus is adapted toread code words from the same storage address or addresses on eachmodule at start.
 6. A system according to claim 2, characterized in thatthe reference code words of the apparatus are formed by a code circuitlike the code circuits arranged on the modules.